Verification/proof of player identity

[Legonzaur]

Statement of the issue

We currently have no way to verify the identity of an http request made by a client. A system that allows 3rd party HTTP servers to know if an HTTP request was made by a genuine player would be great.

Use case

For Tone API, this would allow players to authenticate with our backend. This would mean we can create per-player settings on the backend, and allow players to edit them using a client mod.

We would also be able to let users link their UID with Discord (using a client mod and a discord bot for example) Linking UIDs with Discord users would mean being able to login through our website (using Oauth2) and change settings. It would also facilitate fetching one user's stats from the discord bot, or even change settings through the bot.

Proposal

I'd suggest to use a token-based authentication system

1. client logins to masterserver, mastserver gives a token to the client
2. client sends an HTTP request containing the token to a 3rd party HTTP server
3. 3rd party server checks authenticity of token with masterserver using an HTTP request

Informations the masterserver could return :

• if the token is genuine or not
• token owner UID
• token expiration date.

[pg9182]

Some thoughts:

• Each third-party server should have a unique token if we do this.
• Would probably use a short-lived JWT as the third-party token to reduce load on Atlas.
• For linking the UID, we can (and should) add a built-in button to the lobby which opens an Atlas account page in a browser. That link would be populated during origin auth.
• This will come after the API redesign.